Justanotherhacker.com Website Review

The username and pas*word fields are vulnerable to command injection when adding a new project. There are several SQL injection vulnerabilties in the project. Accept-Encoding: gzip,deflate Accept-Language: en-US,en;q=0.8 The add a project page will request urls provided for a svn repository to ensure its a valid svn repository, an attacker can abuse this to There are both persistent and reflected xss in this project: Accept-Encoding: gzip,deflate Accept-Language: en-US,en;q=0.8 ties up a web server thread. Multiple similtaneous requests to this url will cause resource exhaustion and render the web server The svn update function executes with username and pas*word as command line arguments. In shared environments other users may be able to Upgrade to the latest version or seek an alternative as the vendor deemed some of these issue acceptable. Posted by Eldar Marcussen on Thu Sep 15 02:15:00 EDT 2016 These vulnerabilities were discovered by Eldar Wireghoul Marcussen. TCP and XOT, X.25 and XOT, data conversion, a Triple-X PAD, Host PAD, an extension for special POS protocols and even an X.25 switch all at The device has a default login of admin with the pas*word farlinx and while it does allow the pas*word to be changed the username is hardcoded in the device Apache configuration and cannot be changed. The file 'fsSaveUIPersistence.php' will write user supplied data to the file 'fsUI.xyz' with minimal changes. This can be used to place attacker controlled code on the file system. This can easily be identifiedby examining the file source:     $pFile = fopen(fsUI.xyz, w+);     if(fwrite($pFile, $strReceivedata) == false)  There are several php scripts based around log handling that are vulnerable to directory traversal. The following examples are Several command injection vulnerabilities were identified in the following scripts: sysSaveMonitorData.php, fsx25MonProxy.php, syseditdate.php, iframeupload.php and sysRestoreX25Cplt.php. The following example is provided: